Quantum Algorithms for Weighing 
Matrices and Quadratic Residues 

Wim van Dam* 
UC Berkeley 
vandam@cs.berkeley.edu 

February 1, 2008 



Abstract 

In this article we investigate how we can employ the structure of combinatorial objects like Hadamard matrices and weighing matrices to devise new quantum algorithms. We show how the properties of a weighing matrix can be used to construct a problem for which the quantum query complexity is significantly lower than the classical one. It is pointed out that this scheme captures both Bernstein & Vazirani's inner-product protocol, as well as Grover's search algorithm.

In the second part of the article we consider Paley's construction of Hadamard matrices, which relies on the properties of quadratic characters over finite fields. We design a query problem that uses the Legendre symbol $\chi$ (which indicates if an element of a finite field is a quadratic residue or not). It is shown how for a shifted Legendre function $f_s(i) = \chi(i+s)$, the unknown $s \in \mathbb{F}_q$ can be obtained exactly with only two quantum calls to $f_s$. This is in sharp contrast with the observation that any classical, probabilistic procedure requires more than $\log q + \log(\frac{1-\varepsilon}{2})$ queries to solve the same problem.



1 Introduction 

The theory of quantum computation investigates how we can use quantum mechanical effects to solve computational problems more efficiently than we can by classical means. So far, the strongest evidence that there is indeed a real and significant difference between quantum and classical computation is provided by Peter Shor's polynomial-time factoring algorithm. Most other quantum complexity results are expressed in the black-box, or oracle, setting of computation with various degrees of separation between the two models. The algorithms of, for example, Deutsch [13], Deutsch & Jozsa [14], Berthiaume & Brassard, Bernstein & Vazirani, Simon, Grover [15], and Buhrman & van Dam define problems for which we have a quantum reduction in the query complexity, whereas the lower bounds of Jozsa, Bennett et al., and Beals et al. show that there are limits to the advantage that quantum computation can give us. The general picture that has emerged from these results is that we can only expect a superpolynomial difference between classical and quantum computation if we can use the specific structure of the problem that we try to solve. The promise on the function of Simon's problem is a typical example of such a structure that establishes an exponential quantum improvement over the classical complexity. It was this same improvement that inspired Shor for his result.

In this article we introduce a general family of structured problems for which we prove a better-than-classical query complexity. These results rely heavily on the properties of weighing matrices (as defined in combinatorics) and encompass the earlier query protocols by Grover [15] and Bernstein & Vazirani. Following Paley's construction of Hadamard matrices, we also define a more specific problem that concerns the determination of a shifted Legendre sequence over finite fields.

In the next section we start with a brief overview of the essential ingredients of quantum computation and some of the relevant complexity results for the black-box model. Section 3 then explains how the theory of weighing matrices can be used as a source for non-trivial, yet structured, unitary operations. In the last part of the article (Section 5) our attention will focus on Raymond Paley's construction of Hadamard matrices and the theory of quadratic residues for finite fields that it uses. This will lead to the definition of a query problem which is akin to the inner-product problem of Bernstein & Vazirani.

2 Quantum Computation 

We assume the reader to be familiar with the theory of quantum computation. (Otherwise, see the standard references by Berthiaume, Nielsen and Chuang, or Preskill.) Here we will mainly fix the terminology and notation for the rest of the article.

2.1 Quantum Information Processing 

A system $\psi$ of $n$ quantum bits (qubits) is a superposition of all possible $n$-bit strings. It can therefore be represented as a normalized vector (or "ket") $|\psi\rangle$ in a $2^n$-dimensional Hilbert space:

$$|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$$

with $\alpha_x \in \mathbb{C}$ and the normalization restriction $\sum_x |\alpha_x|^2 = 1$. The probability of observing the outcome "x" when measuring the state $\psi$ equals $|\alpha_x|^2$. More general, when we try to determine if $\psi$ equals the measurement vector $|m\rangle = \sum_x \beta_x |x\rangle$, we will get an affirmative answer with probability

$$\mathrm{Prob}(m|\psi) := |\langle m|\psi\rangle|^2 = \Big|\sum_x \bar{\beta}_x \alpha_x\Big|^2$$

(with $\bar{\beta}$ the complex conjugate of $\beta$). An orthogonal measurement basis for an $N$-dimensional Hilbert space $\mathcal{H}_N$ is a set $\{m_1, m_2, \ldots, m_N\}$ of mutually orthogonal state vectors $|m_i\rangle$. For such a basis it holds that $\sum_{i=1}^{N} \mathrm{Prob}(m_i|\psi) = 1$ for every state $|\psi\rangle \in \mathcal{H}_N$, and that if $\psi = m_s$ for a certain $s$, then $\mathrm{Prob}(m_i|\psi) = 1$ if $i = s$, and $\mathrm{Prob}(m_i|\psi) = 0$ otherwise.

The quantum mechanical time evolution of a system $\psi$ is a linear transformation that preserves the normalization restriction. Hence, for a finite-dimensional state space $\mathcal{H}_N$, such a transformation can be represented by a unitary matrix $M \in U(N)$, for which we can write $M|\psi\rangle = \sum_{x=1}^{N} \alpha_x M|x\rangle$. An example of a one-qubit transformation is the 'Hadamard transform', which is represented by the unitary matrix

$$H := \frac{1}{\sqrt{2}} \begin{pmatrix} +1 & +1 \\ +1 & -1 \end{pmatrix}.$$

On the standard zero/one basis for a bit this transformation has the following effect: $H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $H|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$.

2.2 Quantum versus Classical Query Complexity 

Consider a problem that is defined in terms of $n$ (unknown) values $f(1), \ldots, f(n)$. The (probabilistic) query complexity of such a problem is the minimum number of times that an algorithm has to 'consult' the string $f(1), \ldots, f(n)$ to solve the problem (with high probability). A typical example of this setting is the calculation of the OR of $n$ bit values: the question whether there is an index $i$ with $f(i) = 1$. The classical probabilistic query complexity of this task is $\Omega(n)$, whereas in the quantum setting we only need $O(\sqrt{n})$ calls to $f$ to solve the problem with high probability. We therefore say that we have a 'quadratic' separation between the classical and the quantum query complexity of the OR function. The question which tasks allow a quantum reduction in the query complexity (and if so, how much) is a central one in quantum complexity research.



2.3 Some Earlier Results in Quantum Computing 

In this article we are especially concerned with the query complexity of procedures that prepare a state that depends on the values of a black-box function. For example, how often do we have to read out the bit values of a function $f : \mathbb{N} \to \mathbb{C}$ if we want to create the state $\sum_i f(i)|i\rangle$? The following lemma shows us that if the range of the function is limited to $\{-1,+1\}$, this can be done with a single query.

Fact 1 (Phase-kick-back trick) Given a function $f : \mathbb{N} \to \{-1,+1\}$, the phase changing transition $\sum_i \alpha_i|i\rangle \to \sum_i \alpha_i f(i)|i\rangle$ can be established with only one call to the unknown binary values of $f$.

Proof: (See ^ for the original proof.) First, attach to the superposition of 
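$\alpha_i|i\rangle$ the (two qubit state)

$$|\psi\rangle := \tfrac{1}{2}\left(|0\rangle + \sqrt{-1}\,|1\rangle - |2\rangle - \sqrt{-1}\,|3\rangle\right).$$

Then, in superposition, add modulo 4 the values $f(i)$ to this register (step a). Finally, apply a general phase change $|\psi\rangle \to \sqrt{-1}\,|\psi\rangle$ (step b). It is straightforward to see that this yields the desired phase change according to the equation:

$$|i\rangle \otimes |\psi\rangle \xrightarrow{(a)} \begin{cases} -\sqrt{-1}\,|i\rangle \otimes |\psi\rangle & \text{if } f(i) = +1 \\ +\sqrt{-1}\,|i\rangle \otimes |\psi\rangle & \text{if } f(i) = -1 \end{cases} \xrightarrow{(b)} f(i)|i\rangle \otimes |\psi\rangle,$$

for every $i$ in the superposition. □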
The usefulness of such a phase-changing operation is made clear by the following result, which is mentioned because the Theorems 1 and 2 of this article are of a similar fashion. In 1993 Bernstein & Vazirani gave the following example of a family of functions $g_1, g_2, \ldots$ that are more easily distinguished with quantum queries to $g$ than with classical ones.

Fact 2 (Inner-Product Problem) Let the black-box function $g_s : \{0,1\}^n \to \{0,1\}$ be defined by $g_s(x) = (x, s) := \sum_{i=1}^{n} x_i s_i \bmod 2$, where $s = (s_1, \ldots, s_n) \in \{0,1\}^n$ is an unknown $n$-bit mask. A quantum computer can determine the value $s$ exactly with one call to the function $g_s$, whereas any probabilistic, classical algorithm needs at least $n + \log(1-\varepsilon)$ queries to $g_s$ to perform the same task with an error rate of at most $\varepsilon$.

Proof: See for the original proof by Bernstein & Vazirani, and |^ for the 
single query version of it. □ 
The above result uses the unitarity of $H^{\otimes n}$ and its connection with the inner-product function. In Section 5 of this article we will do a similar thing for a different family of unitary matrices and the Legendre function that it uses.

Another key result in quantum computation is the square-root speed-up that 
one can obtain when querying a database for a specific element. 

Fact 3 (Grover's search algorithm) Let the function values $f(1), \ldots, f(n)$ form a string of $n-k$ zeros and $k$ ones. Knowing $k$, but not the specific entries $s$ for which $f(s) = 1$, the amplitude changing evolution



can be established exactly with quantum queries to the function f . 



Proof: See the original article by Lov Grover [15], or better yet, the excellent analysis of it by Boyer et al. □

3 Hadamard Matrices and Weighing Matrices
in Combinatorics



The matrix $H$ that we mentioned in the previous section is (in the context of quantum computation) called the 'Hadamard matrix'. This terminology is a bit unfortunate because the same term has already been used in combinatorics to cover a much broader concept. (See the 1893 article by Jacques Hadamard [16] for the origin of this term.)

Definition 1 (Hadamard matrix in combinatorics) In combinatorics, a matrix $M \in \{-1,+1\}^{n \times n}$ is called a Hadamard matrix if and only if $M \cdot M^T = n \cdot I_n$, where "T" denotes the transpose of a matrix.

Obviously, when $M$ is a Hadamard matrix in the above sense, then $\frac{1}{\sqrt{n}} M$ is a unitary matrix $\in U(n)$. Also, if $M_1$ and $M_2$ are Hadamard matrices, then their tensor product $M_1 \otimes M_2$ is a Hadamard matrix as well. It is a famous open problem if there exists a Hadamard matrix for every dimension $4k$.

The $H^{\otimes n}$ matrices that we encountered in the section on quantum computation form only a small subset of all the Hadamard matrices that we know in combinatorics. Instead, the matrices $(\sqrt{2} \cdot H)^{\otimes n}$ should perhaps be called "Hadamard matrices of the Sylvester kind" after the author who first discussed this specific family of matrices.

The properties of Hadamard matrices (especially the above mentioned $4k$-conjecture) is an intensively studied topic in combinatorics, and its complexity is impressive given the simple definition. In 1933, Raymond Paley proved the existence of two families of Hadamard matrices that are very different from Sylvester's $2^n$-construction.

Fact 4 (Paley construction I and II) Construction I: For every prime $p$ with $p \equiv 3 \bmod 4$ and every integer $k$, there exists a Hadamard matrix of dimension $(p^k+1) \times (p^k+1)$. Construction II: For every prime $p$ with $p \equiv 1 \bmod 4$ and every integer $k$, there exists a Hadamard matrix of dimension $(2p^k+2) \times (2p^k+2)$.

Proof: See the original article, or any other standard text on combinatorial objects [29]. □



For here it is sufficient to say that Paley's construction uses the theory of quadratic residues of finite fields $\mathbb{F}_{p^k}$. Its properties that are relevant for this article are discussed in the appendix.

We can extend the notion of Hadamard matrices by allowing three possible matrix entries $\{-1,+1,0\}$, while still requiring the $M \cdot M^T \propto I_n$ restriction. We thus reach the following definition.



Definition 2 (Weighing matrix [11]) In combinatorics, a matrix $M \in \{-1,0,+1\}^{n \times n}$ is called a weighing matrix if and only if $M \cdot M^T = k \cdot I_n$ for some $0 \le k \le n$. We will denote the set of such matrices by $W(n,k)$.

Every column and row of a $W(n,k)$ weighing matrix has $n-k$ zeros, and $k$ entries "+1" or "−1". Clearly, $W(n,n)$ are the Hadamard matrices again, whereas $W(n,n-1)$ are also called conference matrices. The identity matrix $I_n$ is an example of a $W(n,1)$ matrix. If $M_1 \in W(n_1,k_1)$ and $M_2 \in W(n_2,k_2)$, then their tensor product $M_1 \otimes M_2$ is an element of $W(n_1 n_2, k_1 k_2)$. This implies that for every weighing matrix $M \in W(n,k)$ we have in fact a whole family of matrices $M^{\otimes t} \in W(n^t, k^t)$, indexed by $t \in \mathbb{N}$.

Example 1 



+1 
+1 

V 



-1 +1 

-1 

-1 

-1 -1 



-1 
-1 

-1 J 



is a $W(4^t, 3^t)$ weighing matrix for every $t \in \mathbb{N}$.



The observation that for every $M \in W(n,k)$ the matrix $\frac{1}{\sqrt{k}} \cdot M \in U(n)$ is a unitary matrix makes the connection between combinatorics and quantum computation that we explore in this article. In the next section we will see how the mutually orthogonal basis of such a matrix can be used for a query efficient quantum algorithm. The classical lower bound for the same problem is proven using standard, decision tree arguments.



4 Quantum Algorithms for Weighing Matrices 

In this section we will describe a general weighing-matrix-problem and its quan- 
tum solution. But before doing so, we first mention the following state con- 
struction lemma which follows directly from earlier results on Grover's search 
algorithm. 

Lemma 1 (State construction lemma) Let $f : \{1, \ldots, n\} \to \{-1,0,+1\}$ be a black-box function. If we know that $k$ of the function values are "+1" or "−1", and the remaining $n-k$ entries are "0", then the preparation of the state

$$|f\rangle := \frac{1}{\sqrt{k}} \sum_{i=1}^{n} f(i)|i\rangle,$$

requires no more than $\lceil \frac{\pi}{4}\sqrt{n/k} \rceil + 1$ quantum evaluations of the black-box function $f$. When $k = n$, a single query is sufficient.

Proof: First, we use the amplitude amplification process of Grover's search algorithm described in Fact 3 to create exactly the state $\frac{1}{\sqrt{k}} \sum_{i=1}^{n} |f(i)|\,|i\rangle$ with no more than $\lceil \frac{\pi}{4}\sqrt{n/k} \rceil$ queries to $f$. (See the article by Boyer et al. for a derivation of this upper bound. Obviously, no queries are required if $k = n$.) After that, following Fact 1, one additional $f$-call is sufficient to insert the proper amplitudes, yielding the desired state $|f\rangle$. □

4.1 Weighing Matrix Problem and Its Quantum Solution



We will now define the central problem of this article, which assumes the exis- 
tence of a weighing matrix. 

Definition 3 (Weighing Matrix Problem) Let $M$ be a $W(n,k)$ weighing matrix. Define a set of $n$ functions $f_s^M : \{1, \ldots, n\} \to \{-1,0,+1\}$ for every $s \in \{1, \ldots, n\}$ by $f_s^M(i) := M_{si}$. Given a function $f_s^M$ in the form of a black-box, we want to determine the parameter $s$. The (probabilistic) query complexity of the weighing matrix problem is the minimum number of calls to the function $f$ that is necessary to determine the value $s$ (with error probability at most $1-\varepsilon$).

With the quantum protocol of Lemma 1 we can solve this problem in a straightforward way.

Theorem 1 (Quantum procedure for the Weighing Matrix Problem) For every weighing matrix $M \in W(n,k)$ with the corresponding Weighing Matrix Problem of Definition 3, there exists a quantum algorithm that determines $s$ exactly with at most $\lceil \frac{\pi}{4}\sqrt{n/k} \rceil + 1$ queries to $f_s^M$. When $n = k$, the problem can be solved with one query to the function.

Proof: First, prepare the state $|f_s^M\rangle = \frac{1}{\sqrt{k}} \sum_{i=1}^{n} f_s^M(i)|i\rangle$ with $\lceil \frac{\pi}{4}\sqrt{n/k} \rceil + 1$ queries to the function $f$ (Lemma 1). After that, measure the state in the basis spanned by the vectors $|f_1^M\rangle, \ldots, |f_n^M\rangle$. Because $M$ is a weighing matrix, this basis is orthogonal and hence the outcome of the measurement gives us the value $s$ (via the outcome $|f_s^M\rangle$) without error. □
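
The following added example (not code from the article) simulates Theorem 1 classically: it checks that a tensor power of a weighing matrix is again a weighing matrix, prepares the state $|f_s^M\rangle$ from a black box, and computes the exact outcome distribution of the measurement in the row basis. The $W(4,3)$ matrix `W43` is constructed for this example and is an assumption (it is not the matrix of Example 1), indices are 0-based, and `classical_lower_bound` evaluates the three inequalities of the classical lower bound that Section 4.2 proves with decision trees.

```python
from fractions import Fraction
from math import ceil, log, log2, pi, sqrt

# Constructed W(4, 3) weighing matrix (assumption of this example).
W43 = [[0, 1, 1, 1],
       [1, 0, 1, -1],
       [1, -1, 0, 1],
       [1, 1, -1, 0]]


def kron(a, b):
    """Tensor (Kronecker) product of two square integer matrices."""
    return [[x * y for x in row_a for y in row_b] for row_a in a for row_b in b]


def tensor_power(m, t):
    """t-fold tensor power of m; a W(n, k) matrix gives a W(n^t, k^t) matrix."""
    out = [[1]]
    for _ in range(t):
        out = kron(out, m)
    return out


def weight(m):
    """Return k if m * m^T = k * I with entries in {-1, 0, +1}, else None."""
    n = len(m)
    if any(len(row) != n or any(e not in (-1, 0, 1) for e in row) for row in m):
        return None
    k = sum(e * e for e in m[0])
    for r in range(n):
        for c in range(n):
            dot = sum(x * y for x, y in zip(m[r], m[c]))
            if dot != (k if r == c else 0):
                return None
    return k


def outcome_distribution(m, f):
    """Exact probabilities |<f_r|f_s>|^2 of each outcome r.

    The state (1/sqrt(k)) * sum_i f(i)|i> is built by reading every f(i);
    that is the cost of simulating it, not the quantum query count.
    """
    k = weight(m)
    if k is None:
        raise ValueError("not a weighing matrix")
    state = [f(i) for i in range(len(m))]
    return [Fraction(sum(x * y for x, y in zip(row, state))) ** 2 / k ** 2
            for row in m]


def quantum_query_bound(n, k):
    """Upper bound of Theorem 1: ceil(pi/4 * sqrt(n/k)) + 1, or 1 if k = n."""
    return 1 if k == n else ceil(pi / 4 * sqrt(n / k)) + 1


def classical_lower_bound(n, k, eps):
    """Largest of the three classical lower bounds on d (requires eps < 1)."""
    return max(log((1 - eps) * n, 3),
               (1 - eps) * n / k - 1 / k,
               log2(n / (n - k + 1)) + log2(1 - eps))


if __name__ == "__main__":
    m = tensor_power(W43, 2)          # a W(16, 9) matrix
    secret = 11
    probs = outcome_distribution(m, lambda i: m[secret][i])
    print("recovered s =", probs.index(1), "with probability", probs[secret])
    print("quantum queries <=", quantum_query_bound(16, 9))
    print("identity matrix, n = 16: quantum <=", quantum_query_bound(16, 1),
          "classical >=", classical_lower_bound(16, 1, 0))
```
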

4.2 Classical Bounds for Weighing Matrix Problems 

For every possible weighing matrix, the above result establishes a separation 
between the quantum and the classical query complexity of the problem, as is 
shown by the following classical lower bound. 

Lemma 2 (Classical lower bounds for the Weighing Matrix Problem) Consider the Weighing Matrix Problem of Definition 3 for a matrix $M \in W(n,k)$. Let $d$ be the number of queries used by a classical algorithm that recovers $s$ with an error probability of at most $\varepsilon$. This query complexity $d$ is bounded from below by the following three inequalities:

$$d \ge \log_3 n + \log_3(1-\varepsilon),$$

$$d \ge (1-\varepsilon)\frac{n}{k} - \frac{1}{k},$$

$$d \ge \log\left(\frac{n}{n-k+1}\right) + \log(1-\varepsilon).$$

For the case where $k = n$, this last lower bound equals $d \ge \log n + \log(1-\varepsilon)$.

Proof: We will prove these bounds by considering the decision trees that describe the possible classical protocols. The procedure starts at the root of the tree and this node contains the first index $i$ that the protocol queries to the function $f$. Depending on the outcome $f(i) \in \{-1,0,+1\}$, the protocol follows one of the three outgoing edges to a new node $v$, which contains the next query index $i_v$. This routine is repeated until the procedure reaches one of the leaves of the tree. At that point, the protocol guesses which function it has been querying. With this representation, the depth of such a tree reflects the number of queries that the protocol uses, while the number of leaves (nodes without outgoing edges) indicates how many different functions the procedure can distinguish.

For a probabilistic algorithm with error probability $\varepsilon$, we need to use decision trees with at least $(1-\varepsilon)n$ leaves. Because the number of outgoing edges cannot be bigger than 3, a tree with depth $d$ has maximally $3^d$ leaves. This proves the first lower bound via $3^d \ge (1-\varepsilon)n$.

For the second and third bound we have to analyze the maximum size of the decision tree as it depends on the values $k$ and $n$. We know that for every index $i_v$, there are only $k$ different functions with $f(i_v) \ne 0$. This implies that at every node $v$ the joint number of leaves of the two subtrees associated with the outcomes $f(i_v) = -1$ and $+1$ cannot be bigger than $k$. Hence, by considering the path (starting from the root) along the edges that correspond to the answers $f(i_v) = 0$, we see that a decision tree with $d$ queries can distinguish no more than $dk + 1$ functions. The second bound is thus obtained by the resulting inequality $dk + 1 \ge (1-\varepsilon)n$. (The case $k = 1$ is the strongest example of this bound.)

In a similar fashion, we can use the observation that there are exactly $n-k$ functions with $f(i_v) = 0$ for every node $v$. Now we should consider the binary subtree that is spanned by the edges that correspond to the answers $f(i_v) = +1$ and $f(i_v) = -1$. With depth $d$, this subtree has at most $2^d$ leaves and $2^d - 1$ internal nodes. For the complete tree, each such internal node $v$ gives at most $n-k$ additional leaves, which are the functions with $f(i_v) = 0$. In sum, this tells us that the total tree (with depth $d$) has a maximum number of leaves of $2^d + (2^d - 1)(n-k)$, leading to the third result: $d \ge \log\left(\frac{n}{n-k+1}\right) + \log(1-\varepsilon)$. □

4.3 Additional Remarks 

The above bounds simplify significantly when we express them as functions of 
big enough n, giving us the following table: 



k        quantum upper bound                  classical lower bound

o(n)     $\frac{\pi}{4}\sqrt{n/k} + 1$        $(1-\varepsilon)\frac{n}{k} - O(1)$

Θ(n)     $O(1)$                               $\log_3 n + \log_3(1-\varepsilon)$

n        $1$                                  $\log n + \log(1-\varepsilon)$



Note that the $n$-dimensional identity matrix is a $W(n,1)$ weighing matrix, and that for this $I_n$ the previous theorem and lemma are just a rephrasing (with $k = 1$) of the results on Grover's search algorithm for exactly one matching entry. The algorithm of Bernstein & Vazirani is also captured by the above as the case where $k$ has the maximum value $k = n$ (with the weighing matrices $(\sqrt{2} \cdot H)^{\otimes t} \in W(2^t, 2^t)$). Hence we can think of those two algorithms as the extreme instances of the more general weighing matrix problem.

As we phrased it, a weighing matrix $M \in W(n,k)$ gives only one specific problem for which there is a classical/quantum separation, but not a problem that is defined for every input size $N$, as is more customary. We know, however, that for every such matrix $M$, the tensor products $M^{\otimes t}$ are also $W(n^t, k^t)$ weighing matrices (for all $t \in \mathbb{N}$). We therefore have the following direct consequence of our results.

Corollary 1 Every weighing matrix $M \in W(n,k)$ defines an infinite family of $W(N,K)$ weighing matrix problems, with parameters $N = n^t$ and $K = k^t = N^{\log_n k}$ for every $t \in \mathbb{N}$. By defining $\gamma = 1 - \log_n k$ we have, for every suitable $N$, a quantum algorithm with query complexity $\frac{\pi}{4}\sqrt{N^{\gamma}}$ for which there is a classical, probabilistic lower bound of $(1-\varepsilon) \cdot N^{\gamma} + o(1)$.

Example 2 Using the $W(4^t, 3^t)$ weighing matrices of Example 1, we have $\gamma = 1 - \frac{1}{2}\log 3 \approx 0.21$, and hence a quantum algorithm with query complexity $\frac{\pi}{4}\sqrt{N^{\gamma}}$. The corresponding classical probabilistic lower bound of this problem is $(1-\varepsilon) \cdot N^{\gamma} + O(1)$.

A legitimate objection against the Weighing Matrix Problem is that it does 
not seem to be very useful for solving real-life problems. In order to obtain more 
natural problems one can try to look into the specific structure that constitutes 
the weighing matrix or matrices. An example of such an approach will be given 
in the next section via Paley's construction of Hadamard matrices. We will see 
how this leads to the definition of a problem dealing with quadratic residues of 
finite fields that has a quantum solution that is more efficient than any classical 
protocol. 

5 The Shifted Legendre Sequence Problem 

The query task that we will define in this section relies on some standard properties of finite fields. See the appendix of this article for a short but sufficient overview of this theory. Especially important is the following function which generalizes the Legendre symbol $\left(\frac{i}{p}\right)$ over $\mathbb{Z}/(p\mathbb{Z})$ to all finite fields $\mathbb{F}_q$. (From now on, $p$ will always denote an odd prime, and $q = p^k$ a power of such a prime.)

Definition 4 (Legendre symbol over a Finite Field) For every finite field $\mathbb{F}_q$, with $q = p^k$ an odd prime power, the Legendre symbol function $\chi : \mathbb{F}_q \to \{-1,0,+1\}$ indicates if a number is a quadratic residue or not:

$$\chi(i) := \begin{cases} 0 & \text{if } i = 0 \\ +1 & \text{if } \exists j \ne 0 : j^2 = i \\ -1 & \text{if } \forall j : j^2 \ne i. \end{cases}$$

This function is a quadratic, multiplicative character over $\mathbb{F}_q$, which implies the following result.

Fact 5 (Near Orthogonality of Shifted Legendre Sequences) For the 'inner product' between two Legendre sequences that are shifted by $s$ and $r \in \mathbb{F}_q$ it holds that

Proof: See the proof of Fact 6 in the appendix. □
Raymond Paley used this near orthogonality property for the construction of his Hadamard matrices. Here we will use the same property to describe a problem that, much like the weighing matrix problem of the previous section, has a clear gap between its quantum and classical query complexity. In light of Theorem 1 and Lemma 2 the results of this section are probably not very surprising. Rather, we wish to give an example of how we can borrow the ideas behind the construction of combinatorial objects for the design of new quantum algorithms. In this case this is done by stating a problem that uses the Legendre symbol over finite fields.

Definition 5 (Shifted Legendre Sequence/SLS Problem) Assume that we have a black-box for a shifted Legendre function $f_s : \mathbb{F}_q \to \{-1,0,+1\}$ that obeys $f_s(i) := \chi(i+s)$ with the (for us unknown) shift parameter $s \in \mathbb{F}_q$. The task is to determine (with probability $1-\varepsilon$) the value $s$ with a minimum number of calls to the function $f$.

5.1 Classical Query Complexity of the SLS Problem 

Before describing the quantum algorithm for the Shifted Legendre Sequence Problem, we will first determine its classical query complexity. The following lower bound is established in a way similar to the proof of Lemma 2.

Lemma 3 (Classical lower bound SLS Problem) Assume a classical algorithm that tries to solve the shifted Legendre sequence problem over a finite field $\mathbb{F}_q$. To determine the requested value $s$ with a maximum error rate $\varepsilon$, requires more than $\log q + \log(\frac{1-\varepsilon}{2})$ queries to the function $f_s$.

Proof: Consider, like in the proof of Lemma 2, a decision tree with nodes $v$ and corresponding query indices $i_v$. For every index $i_v$ there is exactly one function with $f(i_v) = 0$. For the tree this implies that every node $v$ can only have two proper subtrees (corresponding to the answers $f(i) = +1$ and $-1$) and one deciding leaf (the case $f_{(-i)}(i) = 0$). Hence, a decision tree of depth $d$ can distinguish no more than $2^{d+1} - 1$ different functions. In order to be able to differentiate between $(1-\varepsilon)q$ functions, we thus need a depth $d$ of at least $\log((1-\varepsilon)q + 1) - 1$. □

This lower bound of $\log q$ queries is also optimal as is shown by the following result.

Lemma 4 (Classical upper bound SLS Problem) There exists a deterministic, classical protocol that solves the Shifted Legendre Sequence Problem with $O(\log q)$ queries to the black-box function $f_s$.

Proof: Let $S \subseteq \mathbb{F}_q$ be the set of possible values of $s$ at a given moment during the execution of the protocol. (Thus, initially we have $S = \mathbb{F}_q$, and we want to end with the unique answer determined by $|S| = 1$.) Below we will show that if $S$ has at least 4 elements, then there always exists an index $i$ such that all three possible answers to the query "$f(i)$?" lead to a reduced set of options $S'$ with $|S'| \le \frac{3}{4}|S|$. By repeating this procedure no more than $\log q / \log(\frac{4}{3})$ times, we can reduce the initial set $S = \mathbb{F}_q$ to four possibilities, which can then be checked with three additional queries.

What follows is the existence proof of such an index for every possible subset $S \subseteq \mathbb{F}_q$. Given a set $S$ and an index $i$, we have a partition of $S$ in three subsets according to the answer $\chi(s+i)$ to the query "$f(i)$?":

$$S_i^+ := \{s \mid s \in S \text{ and } \chi(s+i) = +1\},$$

$$S_i^- := \{s \mid s \in S \text{ and } \chi(s+i) = -1\},$$

$$S_i^0 := \{s \mid s \in S \text{ and } \chi(s+i) = 0\}.$$

Note that, depending on whether $-s$ is an element of $S$ or not, $S_i^0$ is either $\{-s\}$ or the empty set. Clearly, one of these three sets will be the reduced set $S'$ mentioned in the first part of the proof.

Define the Legendre matrix $L \in \{-1,0,+1\}^{q \times q}$ by $L_{ij} := \chi(i+j)$, and let $z_S$ be the characteristic vector $\in \{0,1\}^q$ of the subset $S \subseteq \mathbb{F}_q$. The product of $L$ and $z_S$ yields a new vector $w_S$ with the following property for its $i$-th entry:

By the near orthogonality property of the Legendre sequence (Fact 5) we know that for the matrix $L$ we have $L^T \cdot L = qI_q - J_q$, where $J_q$ is the 'all ones' matrix of dimension $q \times q$. The inner product $z_S^T z_S$ is the Hamming weight of $z_S$ and hence equals the size $|S|$ of the set $S$. This implies for the inner product of $Lz_S$ with itself: $(z_S^T L^T)(Lz_S) = z_S^T(qI_q - J_q)z_S = q|S| - |S|^2$. By the previous equation for $w_S$, we thus see that

$$q|S| - |S|^2 = w_S^T w_S = \sum_{i \in \mathbb{F}_q} \left(|S_i^+| - |S_i^-|\right)^2.$$

This proves that there exists at least one index $i$ for which $(|S_i^+| - |S_i^-|)^2 \le \frac{1}{q}(q|S| - |S|^2)$, and hence $-\sqrt{|S|} \le |S_i^+| - |S_i^-| \le \sqrt{|S|}$. In combination with the general bound $|S_i^+| + |S_i^-| \le |S|$, this gives that for this $i$ both $|S_i^+|$ and $|S_i^-|$ are less than $\frac{1}{2}|S| + \frac{1}{2}\sqrt{|S|}$. For $|S| \ge 4$ this proves that indeed all three $S_i^+$, $S_i^-$ and $S_i^0$ have size less than $\frac{3}{4}|S|$. □






5.2 Quantum Query Complexity of the SLS Problem 

The above classical upper bound for the Shifted Legendre Sequence Problem relied on the near orthogonality property of the Legendre sequence. The same is done by the quantum protocol for the SLS Problem, but in a more efficient way: only 2 quantum queries are required.

Theorem 2 (Two query quantum protocol for the SLS Problem) For any finite field $\mathbb{F}_q$, the Shifted Legendre Sequence Problem of Definition 5 can be solved exactly with two quantum queries to the black-box function $f_s$.

Proof: We exhibit the quantum algorithm in detail. We start with the superposition

$$\frac{1}{\sqrt{q+1}}\left(\sum_{i \in \mathbb{F}_q} |i\rangle|0\rangle + |\text{dummy}\rangle|1\rangle\right).$$

(The reason for the "dummy" part of state that we use will be clear later in the analysis.) The first oracle call is used to calculate the different $f_s(i) = \chi(i+s)$ values for the non-dummy states, giving a superposition of states $|i, \chi(i+s)\rangle$. At this point, we measure the rightmost register to see if it contains the value "zero". If this is indeed the case (probability $\frac{1}{q+1}$), the state has collapsed to $|-s\rangle|0\rangle$ which directly gives us the desired answer $s$. Otherwise, we continue with the now reduced state

$$\frac{1}{\sqrt{q}}\left(\sum_{i \in \mathbb{F}_q \setminus \{-s\}} |i\rangle|\chi(i+s)\rangle + |\text{dummy}\rangle|1\rangle\right)$$

on which we apply a conditional phase change (depending on the $\chi$ values in the rightmost register). We finish the computation by 'erasing' this rightmost register with a second call to $f_s$. (For the dummy part, we just reset the value to "zero".) This gives us the final state $\psi_s$, depending on $s$, of the form

$$|\psi_s\rangle|0\rangle = \frac{1}{\sqrt{q}}\left(\sum_{i \in \mathbb{F}_q} \chi(i+s)|i\rangle + |\text{dummy}\rangle\right)|0\rangle.$$

What is left to show is that $\{|\psi_s\rangle \mid s \in \mathbb{F}_q\}$ forms a set of orthogonal vectors. Fact 5 tells us that for the inner product between two states $\psi_s$ and $\psi_r$ it holds that $\langle\psi_r|\psi_s\rangle = 1$ if $s = r$, and $\langle\psi_r|\psi_s\rangle = 0$ if $s \ne r$. In other words, the states $\psi_s$ for $s \in \mathbb{F}_q$ are mutually orthogonal. Hence, by measuring the final state in the $\psi$-basis, we can determine without error the shift factor $s \in \mathbb{F}_q$ after only two oracle calls to the function $f_s$. □

More recently, Peter Høyer has shown the existence of a one query protocol for the same problem [private communication].

5.3 Query versus Time Complexity Issues

The above algorithm only reduces the query complexity to $f_s$. The time complexity of the protocol is another matter, as we did not explain how to perform the final measurement along the $\psi$ axes in a time-efficient way. This question, whether there exists a tractable implementation of the unitary mapping

$$|s\rangle \longmapsto \frac{1}{\sqrt{q}}\left(\sum_{i \in \mathbb{F}_q} \chi(i+s)|i\rangle + |\text{dummy}\rangle\right)$$

is discussed and solved in an independent article [12].
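
The following added example (not code from the article) puts the classical protocol of Lemma 4 next to the final measurement of Theorem 2. It assumes a prime field $\mathbb{F}_p$ (the case $k = 1$), computes $\chi$ with Euler's criterion, and simulates the measurement in the $\psi$-basis with exact arithmetic; the function names and the greedy choice of the query index are choices made for this example.

```python
from fractions import Fraction
from math import ceil, log


def legendre(a, p):
    """Legendre symbol chi(a) over the prime field F_p (Euler's criterion)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def make_oracle(p, s):
    """Black box f_s(i) = chi(i + s); calls[0] counts the queries made."""
    calls = [0]

    def f(i):
        calls[0] += 1
        return legendre(i + s, p)

    return f, calls


def shifted_inner_product(p, r, s):
    """Sum over x of chi(x + r) * chi(x + s): q - 1 if r == s, else -1."""
    return sum(legendre(x + r, p) * legendre(x + s, p) for x in range(p))


def psi(p, s):
    """Unnormalised |psi_s>: chi(i + s) for i in F_p, then the dummy entry.

    q - 1 entries are +-1, one is 0, and the dummy adds 1, so the squared
    norm is exactly q and the dummy cancels the -1 of the near orthogonality.
    """
    return [legendre(i + s, p) for i in range(p)] + [1]


def measure_in_psi_basis(p, state):
    """Exact outcome probabilities |<psi_r|state>|^2 / q^2 for every r."""
    return [Fraction(sum(a * b for a, b in zip(psi(p, r), state))) ** 2 / p ** 2
            for r in range(p)]


def classical_recover(p, f):
    """Adaptive classical protocol in the spirit of Lemma 4.

    Each round queries the index whose worst-case answer leaves the fewest
    candidate shifts; chi is public, so choosing the index costs no queries.
    """
    candidates = list(range(p))
    while len(candidates) > 1:
        def worst(i):
            parts = {-1: 0, 0: 0, 1: 0}
            for s in candidates:
                parts[legendre(s + i, p)] += 1
            return max(parts.values())

        i = min(range(p), key=worst)
        answer = f(i)
        candidates = [s for s in candidates if legendre(s + i, p) == answer]
    return candidates[0]


def lemma4_query_bound(p):
    """log q / log(4/3) rounds to reach four candidates, plus three queries."""
    return ceil(log(p) / log(4 / 3)) + 3


def worst_case_classical_queries(p):
    """Largest number of queries classical_recover needs over all shifts."""
    worst = 0
    for s in range(p):
        f, calls = make_oracle(p, s)
        assert classical_recover(p, f) == s
        worst = max(worst, calls[0])
    return worst


if __name__ == "__main__":
    p, secret = 31, 17                      # constructed sample values
    print("classical worst case:", worst_case_classical_queries(p),
          "queries, bound", lemma4_query_bound(p))
    probs = measure_in_psi_basis(p, psi(p, secret))
    print("psi-basis outcome:", probs.index(1), "with probability 1")
```
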



6 Conclusion 

We have established a connection between the construction of weighing matrices in combinatorics, and the design of new quantum algorithms. It was shown how every weighing matrix leads to a query problem that has a more efficient quantum solution than is possible classically. The earlier known results of Bernstein & Vazirani and Grover [15] were shown to be specific instances of this more general problem.

Starting from Paley's construction of Hadamard matrices, we used the structure of quadratic residues over finite fields to give a more explicit example of a Weighing Matrix Problem. This led to the definition of the Shifted Legendre Sequence Problem, which has a constant quantum query complexity, compared to a logarithmic classical query complexity.

Although the results in this article only concern the query complexity of black-box problems, it should be viewed as the first step towards the construction of quantum protocols that are also time-efficient and that deal with more realistic problems. Constructions of Hadamard matrices that are especially interesting in this context are, for example, the complex Hadamard matrices of Turyn and the Hadamard matrices of the dihedral group type. Also, the time-efficiency of the quantum solution of (a generalization of) the Shifted Legendre Sequence Problem was proven more recently in

A Quadratic Residues of Finite Fields

This appendix describes some standard results about quadratic residues and 
Legendre symbols over finite fields. For more background information one can 
look up references like [^ or [|8j. 

A.1 Finite Field Factoids

Let $q = p^k$ denote a power of an odd prime $p$. There always exists a generator $\zeta$ for the multiplicative group $\mathbb{F}_q^* = \mathbb{F}_q \setminus \{0\}$. This means that the sequence $\zeta, \zeta^2, \zeta^3, \ldots$ will generate all non-zero elements of $\mathbb{F}_q$. As this is a set of size $q-1$, it follows that $\zeta^q = \zeta$ and hence $\zeta^{(q-1)} = 1$. Hence we have the equivalence relation

$$\zeta^i = \zeta^j \text{ if and only if } i \equiv j \bmod (q-1)$$

for every integer $i$ and $j$.

We now turn our attention to the definition of the generalized Legendre symbol $\chi : \mathbb{F}_q \to \{-1,0,+1\}$ which is defined by:

$$\chi(i) := \begin{cases} 0 & \text{if } i = 0 \\ +1 & \text{if } \exists j \ne 0 : j^2 = i \\ -1 & \text{if } \forall j : j^2 \ne i. \end{cases}$$

By the above mentioned equivalence relation, the quadratic expression $(\zeta^j)^2 = \zeta^i$ is correct if and only if $2j \equiv i \bmod q-1$. As $p$ is odd, $q-1$ will be even, and hence there can only exist a $j$ with $(\zeta^j)^2 = \zeta^i$ when $i$ is even. Obviously, if $i$ is even, then $\zeta^j$ with $j = \frac{i}{2}$ gives a solution to our quadratic equation. This proves that 50% of the elements of $\mathbb{F}_q^*$ are a quadratic residue with $\chi(x) = +1$, while the other half has $\chi(x) = -1$. In short: $\chi(\zeta^i) = (-1)^i$ and hence for the total sum of the function values: $\sum_{x \in \mathbb{F}_q} \chi(x) = 0$.



A.2 Multiplicative Characters over Finite Fields

The rule $\chi(\zeta^i) \cdot \chi(\zeta^j) = \chi(\zeta^{i+j})$, in combination with $\chi(0) = 0$, shows that the Legendre symbol $\chi$ is a multiplicative character with $\chi(x) \cdot \chi(y) = \chi(xy)$ for all $x, y \in \mathbb{F}_q$.

Definition 6 (Multiplicative characters over finite fields) The function $\chi : \mathbb{F}_q \to \mathbb{C}$ is a multiplicative character if and only if $\chi(xy) = \chi(x)\chi(y)$ for all $x, y \in \mathbb{F}_q$. The constant function $\chi(x) = 1$ is called the trivial character. (We do not consider the other trivial function $\chi(x) = 0$.)

See for the usage of multiplicative characters in number theory. Some of the properties that we will use in this article are: $\chi(1) = 1$; if $\chi$ is nontrivial, then $\chi(0) = 0$, the inverse of nonzero $x$ obeys $\chi(x^{-1}) = \chi(x)^{-1} = \overline{\chi(x)}$, and $\sum_x \chi(x) = 0$ for nontrivial $\chi$.

With these properties we can prove the following fact that we use in the 
article. 

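Fact 6 (Near orthogonality of shifted characters) Consider a nontrivial character $\chi : \mathbb{F}_q \to \mathbb{C}$. For the 'complex inner product' between two $\chi$-sequences that are shifted by $s$ and $r \in \mathbb{F}_q$ it holds that

$$\sum_{x \in \mathbb{F}_q} \overline{\chi(x+r)}\,\chi(x+s) = \begin{cases} q-1 & \text{if } s = r \\ -1 & \text{if } s \ne r. \end{cases}$$

Proof: (For the quadratic character, these are simple instances of so-called Jacobsthal sums [19]; see for example Section 6.1 in .) Rewrite

$$\sum_{x \in \mathbb{F}_q} \overline{\chi(x+r)}\,\chi(x+s) = \sum_{x \in \mathbb{F}_q} \overline{\chi(x)}\,\chi(x+\Delta)$$

with $\Delta := s - r$. If $s = r$ this sum equals $q-1$. Otherwise, we can use the fact that $\overline{\chi(x)}\,\chi(x+\Delta) = \chi(1 + x^{-1}\Delta) = \chi(\Delta)\chi(\Delta^{-1} + x^{-1})$ (for $x \ne 0$) to reach

$$\sum_{x \in \mathbb{F}_q} \overline{\chi(x)}\,\chi(x+\Delta) = \chi(\Delta) \sum_{x \ne 0} \chi(\Delta^{-1} + x^{-1}).$$

Earlier we noticed that $\sum_x \chi(x) = 0$, and therefore in the above summation (where the value $x = 0$ is omitted) we have $\sum_{x \ne 0} \chi(x^{-1} + \Delta^{-1}) = -\chi(\Delta^{-1})$. This confirms that indeed

$$\chi(\Delta) \sum_{x \ne 0} \chi(x^{-1} + \Delta^{-1}) = -1,$$

which finishes the proof. □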
Note that the above property should not be confused with the orthogonality 
relation 

between two (possibly different) characters $\chi$ and $\chi'$.